Stick 'em up! —

McAfee Labs predicts the decline of Anonymous

Security firm also says mobile malware will be the new urban alley mugging.

Computer security firm McAfee Labs released its annual Threat Predictions report today, taking a look at what we'll see (and hope not to see) on 2013's deck of malware and viruses. Interestingly, McAfee's analysis predicts a decline in Anonymous' attacks, a rise in the frequency and sophistication of mobile malware, and a rise in large-scale attacks that aim to cause as much destruction as possible.

This time last year, McAfee's report for 2012 predicted that “Hacktivism and Anonymous will reboot and evolve.” While this year didn't see anything on the level of the hacks of Sony and HBGary from 2011, Anonymous did execute a number of high-profile attacks and threats. Now McAfee says that in 2013, hacktivism will be conducted by more homogeneous, politically-motivated groups rather than Anonymous' pantheon of personalities and pet causes. Still, McAfee suggests that Anonymous may be able to stage a few high-visibility attacks in the coming months despite its predicted decline. The report reads:

Sympathizers of Anonymous are suffering. Too many uncoordinated and unclear operations have been detrimental to its reputation. Added to this, the disinformation, false claims, and pure hacking actions will lead to the movement’s being less politically visible than in the past. Because Anonymous’ level of technical sophistication has stagnated and its tactics are better understood by its potential victims, the group’s level of success will decline. However, we could easily imagine some short-lived spectacular actions due to convergence between hacktivists and antiglobalization supporters, or hacktivists and ecoterrorists.

The analysts go on to say that smaller groups with extremist views will redouble their efforts to hack bastions of democratic societies, improving their tactics “in sophistication and aggressiveness.”

In a similar vein, McAfee's report predicts “[l]arge-scale attacks like Stuxnet that attempt to destroy infrastructure, rather than make money.” While Ars reported on many a credit card scam this year, McAfee says those kinds of hacks could pale in comparison to malware for malware's sake, choosing wanton destruction over profitable thievery.

But petty thievery will thrive in the mobile space, according to McAfee's report: trojans that buy apps from an app store without the user's approval and ransomware that bricks phones until the user pays a fee to the hacker are both pointed out in the report as types of hacks that have the potential to become much more common. Ransomware on the PC will also become more common next year, and McAfee notes that instances of this type of hack have “more than tripled during the past year.”

52 Reader Comments

A few months ago there was a very informative interview with Parmy Olson on the 'Surprisingly Free' podcast. She wrote the book, "We are Anonymous: Inside the Hacker World of Lulzsec, Anonymous and the Global Cyber Insurgency" and her detailed descriptions how Anonymous came into being and what it is evolving into seem to be a much more accurate take on the matter than this typical corporate viewpoint from McAfee.

I am not all that surprised. Like all things on the internet popular stuff only stays popular for a few hours and then it's gone. Look at when Anonymous says anything. People laugh it off now. Their threats have no meaning and no substance. Though I would expect an attempt at them resurfacing with a more dangerous style attack against something like a SCADA system just to get themselves press coverage and to get the world to pay attention to them again. They have hinted at interest with SCADA system attacks and the leaders behind the fold are typically more than simple script kiddies.

I've always had the feeling that the greatest victory of "Anonymous" was in how it got so many commentators talking about Anonymous as some sort of monolithic group when it's really just a label that has been used by a lot of different groups and individuals with little actual overlap. Kind of like how in the 1980's Unix was used as a label for different often wildly incompatible operating systems. A decline of "Anonymous" would probably mean more groups identifying with unique names like Lulz Sec and Goatse Security while people labeling themselves anonymous declines.

I would probably listen to a 5 year old's take on Anonymous than a CNN OFFICIAL INSIDER REPORTER "Parmy Olson".

There is no true "decline" in Anonymous, rather, more people who've put work in for that group identifying themselves. For one cannot truly have identity if one does not have a name. Of course, there are repercussions for choosing to do so. LulzSec faced such consequences firsthand when their leader Sabu snitched to the feds in exchange for leniency when he plead guilty.

As Anonymous has no true spokesperson or leader, rather, a sleeper cell of ennea-thousand+ persons willing to act for a cause that is "just", it is only a matter of time before we see our neighborhood-friendly Anonymous in Ars again.

I am not all that surprised. Like all things on the internet popular stuff only stays popular for a few hours and then it's gone. Look at when Anonymous says anything. People laugh it off now. Their threats have no meaning and no substance. Though I would expect an attempt at them resurfacing with a more dangerous style attack against something like a SCADA system just to get themselves press coverage and to get the world to pay attention to them again. They have hinted at interest with SCADA system attacks and the leaders behind the fold are typically more than simple script kiddies.

Few people realize SCADA is also over VHF and UHF radio. A damn good thing the kiddies only play with computers.

Mobile malware. That's bad. There's no true task manager on mobile devices, no file system explorer, no rootkit revealer, no way to see which drivers are loaded, no netstat to discover strange connections with, and no admin rights. If you get hacked you won't know it. Always on 24/7 wireless connection and the device is also always on will give hackers plenty of opportunity. Even if the hack were discovered, the recovery is going to be a firmware reflash or a backup image restore, and then only after the vendor patches whatever exploit the hackers had used to get in, or it'd just happen again. Not pretty.

Huh, that's odd...

*Advanced Task Killer: A process monitor and killer for Android, which can even be automated to keep uninstallables on a non-rooted device from harassing you.

*Root Explorer: A beast of a file manager with many handy features like browsing SQL DBs and working with archives / tarballs.

*Stack Overflow: Two methods (one of which confirmed working) of displaying active drivers on an Android device.

*Netstat: Basic netstat implementation for Android; found a couple others in search, but this one appears to be the better of them.

*Terminal Emulator: For good measure (and here's a thread compiling some useful CLI commands that will work for you; this may vary between devices somewhat).

Rooting an Android device is (usually) relatively trivial, so there's your proper admin perms (though the lack of the ability TO get / grant admin perms is, in itself, some defense against malware, if not iron-clad). Even a locked bootloader won't prevent rooting, custom roms, or using applications or commands that require root permissions. And the bootloaders on popular devices will tend to be cracked eventually anyway, enabling custom kernels and radios as well.

Rootkits are always pesky buggers, regardless of the platform. There's not exactly a lot of ways to catch them (or even notice them vs simply a poorly-built application causing issues; hell, you could theoretically write one to even have it show another app as being the cause of the hogged resources). This isn't limited to the mobile space, either. For some basic info on the topic you can reference the wiki. I also managed to find what looks like an interesting paper (PDF) on the subject of Android rootkit detection, though I haven't taken the time to read it yet.

As to the always-on nature increasing exposure, while this is technically true, this is typically only a real issue AFTER infection, not when it comes to GETTING infected. Other than something randomly trying IPs and ports, or a targeted attack, you aren't really creating much additional exposure by leaving it running all the time (and let's be honest, a significant number of people these days, especially in the US where electricity is much cheaper than Europe, tend to just leave their computers running 24/7 anyway, so this isn't unique to mobile devices). You're far more likely to see malicious apps as a vector, followed (eventually) by drive-by downloads.

Finally, regarding recovery, it's no different than any other platform. Oh, sure, you can try to clean the machine up, but in the other 99% of cases it's far more time-, effort-, and cost-effective to simply wipe the device in question, be it a smartphone, a tablet, or a traditional desktop or laptop computer (this is especially true of windows, which lacks any meaningful first-party recovery tools, and even the semi-decent, partially-effective third party tools tend to be prohibitively expensive for a normal user; how much is ERD Commander these days? Oh wait, you can't, it's only available via the scams, I mean "service plan subscriptions" that are required to purchase enterprise and volume licenses now. And that's been gimped to hell since MSFT bought it). Point is, this isn't a point against mobile devices compared to other computers; the simple fact is that if you're infected, the only guaranteed fix is to wipe and start over.

I doubt that we will see any major attack in iOS, sure... We will see malware but not at the level of hacking. iOS is the mobile version of OS X, which never had any major hacking attack at the level of Windows. There are malware but easy to fix.

That said, if your standard for measurement is Windows you'll be hard-pressed to ever find someone that looks bad in comparison. They've improved greatly, but when priority one is vendor lock-in, followed by backwards compatibility, you can't be asked to expect too much. But then again they're moving in the app store direction (already there on mobile), so there's that... You just won't be able to actually do anything you CHOOSE, just what they tell you you're allowed to, as with Apple products.

I doubt that we will see any major attack in iOS, sure... We will see malware but not at the level of hacking. iOS is the mobile version of OS X, which never had any major hacking attack at the level of Windows. There are malware but easy to fix.

Uh... You do realize that Nicholas Allegra, AKA comex, made jailbreakme.com, a website that could jailbreak an iOS device in one click? It's likely that the click wasn't even necessary and it could have been done just by loading a URL. Had he been a dick instead of a benevolent wizard, he could have unleashed hell upon iOS several times over.

I think Apple's doing a great job with security on iOS, but software written by humans will always be imperfect. Sandboxing and App review go a long way, but aren't silver bullets. I believe Apple's biggest security asset right now is that discovering new jailbreak techniques brings more glory than developing malware. They know this and I believe it's a big reason they've never gone after the jailbreak community. They even went so far as to give comex an internship.

I'm not a security researcher and this is only my perspective as a casual observer.

Good observation from your part. I completely agree with you in all your points. I am just going to jump to the jailbreak community. Another reason that Apple never attacks the jailbreaking is because they also invented new tools or apps that eventually Apple will copy and add to iOS. I don't like jailbreaking. I'd rather go Vanilla but I tried many times and eventually I have to go back to the untouched OS.

How exactly is ransomware supposed to work on a phone? The first thing the user is going to do is walk the phone into their carrier's store and say "fix this." The people at said store will likely have some bulletin with reasonably good instructions for recovery of data (some of which is already in the cloud already).

Customer walks out with different hardware, and the infected device is shipped to Security or even the FBI. Not the best outcome for a script kiddie.

I doubt that we will see any major attack in iOS, sure... We will see malware but not at the level of hacking. iOS is the mobile version of OS X, which never had any major hacking attack at the level of Windows. There are malware but easy to fix.

Uh... You do realize that Nicholas Allegra, AKA comex, made jailbreakme.com, a website that could jailbreak an iOS device in one click? It's likely that the click wasn't even necessary and it could have been done just by loading a URL. Had he been a dick instead of a benevolent wizard, he could have unleashed hell upon iOS several times over.

I think Apple's doing a great job with security on iOS, but software written by humans will always be imperfect. Sandboxing and App review go a long way, but aren't silver bullets. I believe Apple's biggest security asset right now is that discovering new jailbreak techniques brings more glory than developing malware. They know this and I believe it's a big reason they've never gone after the jailbreak community. They even went so far as to give comex an internship.

I'm not a security researcher and this is only my perspective as a casual observer.

Good observation from your part. I completely agree with you in all your points. I am just going to jump to the jailbreak community. Another reason that Apple never attacks the jailbreaking is because they also invented new tools or apps that eventually Apple will copy and add to iOS. I don't like jailbreaking. I'd rather go Vanilla but I tried many times and eventually I have to go back to the untouched OS.

You do realize every new update you need to wait for a new jailbreak, yes?

The fact McAfee says this doesn't surprise me in the least. Like Iraqi Information Minister Muhammed Saeed al-Sahaf claiming all is well, there are no attacks, the foreign invaders are losing, and Iraq is better off than ever.

Hmm, a company whose main product becomes more and more unnecessary every year is predicting the future? I don't think these guys can see past the end of their own noses so I have to say I don't think I concur with their predictions.

It's clear that McAfee still doesn't get the philosophy of Anonymous. But no matter.

re: Ransomware, It's ironic that right now I am reading Neal Stephenson's "Reamde" where the namesake ransomware locking up everything in Outlook until a certain amount of gold is paid in a fictional real-currency based MMORPG that replaces WoW as king of the market, is the driver of the story. It's an excellent read so far, I highly suggest.

Hmm, a company whose main product becomes more and more unnecessary every year is predicting the future? I don't think these guys can see past the end of their own noses so I have to say I don't think I concur with their predictions.

Anti-virus is not their only product. Tools like HBSS are absolutely essential in managing any kind of meaningful, granular permissions in the enterprise if your employer insists on using Windows servers and/or workstations.

Also, antivirus won't be superfluous on windows any time soon, thanks to the poor permissions system, especially on home "versions."

Finally, as noted in this very article, their predictions have been reasonably accurate in the past. You can argue that this is self-fulfilling, but the fact is they're not the only player in the market, and you note yourself, those in the know tend to avoid their anti-virus offerings because they're not very good. It would be quite difficult for the conspiracy theories blaming the messenger to be true.

Always on 24/7 wireless connection and the device is also always on will give hackers plenty of opportunity.

No. All mobile providers I've worked with over the years (which has been quite a few, both in the US and abroad) use NATing for their data networks to the device. Given the sheer number of devices out there and the dwindling number of available IP addresses, they have to use NATing, likely at the cell tower level I'm guessing. A NAT pretty much destroys any chance of doing a direct attack on the device, requiring instead to utilize a victim-initiated attack vector. The only way to get around that would involve the attackers gaining access to the cellular network, likely over an IP network rather than hijacking the radios (much harder due to authentication protocols). At which point, there's a lot more valuable information to get access to, like encryption keys.

zer02 wrote:

Sandboxing and App review go a long way, but aren't silver bullets.

There are no silver bullets for security. There's layers of defense, obscurity, and vigilance. Breaches happen, and as a previous commenter said, the higher-profile your devices are, the more likely they are to be attacked.

Since companies, governments and individuals are wising up to their tactics, hardening themselves to it, and making more successful efforts to trace and apprehend them, Anonymous has to get more fancy. In doing so, I see Anonymous splintering / dissolving a few ways ...

1) No Adaptation ... some will keep relying on the same old bag of tricks, which folks are looking for now. Thus, they're more likely to get caught/stopped.

2) Risk not worth Reward ... some are going to realize the risk involved is not worth it and bail. They all think as long as they can hide their IP they'll be perfectly safe. But, they realized their weakest attack vector is social. Because they're all "anonymous", they don't know who's a spy from a big organization, or who's gonna rat them out if the heat is turned up, or whatever. It's all fun-n-games when there's no repercussions. But, now suspects are apprehended and the hammer is being brought down. So, some will bail out as if the cops just raided an underaged keg party.

3) Risk not worth Learning Curve ... I think this is the big one ... having to think up more creative shit to do beyond just script-kiddie stuff in order to adapt and be unpredictable means more intelligence and creativity is involved ... this will cause some of them to give up; they don't want to exert themselves too hard. Take for example the members that just used the Low Orbiting Ion Cannon (LOIC) without really knowing how it worked. They just installed it and let it go to work. If the new tactics to succeed in Anonymous involve a greater learning curve to participate, then some folks will drop out.

4) Fuck it, I'm going to work for The Man we were fighting against ... some of the folks that either have or are willing to overcome the learning curve will realize it's easier to just go work for "the man" and get paid for the crazy shit they know how to do. You exploited all those holes in their system ... why not turn-coat and offer to fix all that shit as long as they pay you a security admin's salary? When they work for a big corp or government, they're less likely to participate in black-ops shit that could jeopardize their nice-paying job (and possibly get them incarcerated).

5) I didn't know these assholes had ulterior motives ... some are going to finally figure out that a few members of the group are taking advantage of this shit to profit ... folks do this "ra ra, we're taking on the man and feel good about it!" song and dance, but there are key members that participate in this stuff, so a) they can get into systems and get data to sell off (or get access they can later sell to a high bidder or use to profit from a job), b) they have a group of idealist scapegoats that can take the fall for them. I think some folks in Anonymous are wising up to this, and realize they're just being used as patsies, thus bail.

Mobile malware. That's bad. There's no true task manager on mobile devices, no file system explorer, no rootkit revealer, no way to see which drivers are loaded, no netstat to discover strange connections with, and no admin rights. If you get hacked you won't know it. Always on 24/7 wireless connection and the device is also always on will give hackers plenty of opportunity. Even if the hack were discovered, the recovery is going to be a firmware reflash or a backup image restore, and then only after the vendor patches whatever exploit the hackers had used to get in, or it'd just happen again. Not pretty.

Huh, that's odd...bunch of stuff

So you are going to pretend that every mobile user is an android nerd with the knowledge and desire to root their device and/or install those apps you've mentioned?

What of iOS? Customized android? Plain vanilla android in the hands of regular people who don't know how to do any of that, and don't care?

No, I'm going to state the fact that your blanket assertion of this horrifically insecure class of devices is, in fact, quite securable, and not actually any worse than a computer. Not to mention that nearly all of the alleged deficiencies you listed are either A) something only the technical users would know about anyway, or B) something so basic that anyone that wanted it could do exactly what I did: google it. Also, with the exception of rooting itself and the Root Explorer application, nothing listed there requires or involves root or rooting the device.

As to iOS, you're pretty much screwed, and that's Apple's fault for selling an inferior, restricted, and intentionally gimped product, and your fault for buying it in spite of those facts. What of customized Android? All of those things I listed are available on it; same for vanilla android.

It sounds like you're arguing user ignorance and incompetence as the real issue, and trying to blame the platform itself. There's very little you can do to protect an incompetent or ignorant user, on any platform, be it Windows, OSX, iOS, Android, or even Linux and UNIX. Oh, sure, you can have a more secure base to make surreptitious infection more difficult, but at the end of the day the vast majority of infections are because of a USER clicking "ok."

All of the things I listed are easily answered with a google question in seconds, any user that knows TO ask or look for those things would immediately find them and be able to install and use them. You can't make things much easier than that.

Most importantly though, as explained previously, none of this is any different than any other computing device. Smartphones and tablets ARE computers, and with the exception of the ones that intentionally lock you out of having any real control (such as iOS and Win8) you have the same tools at your disposal as you do on a full computer.

You're at least right about one thing, though, even if you're not about anything else, and that's that I simply don't care about incompetent and ignorant users. There's nothing to be done for them. If they're willing to learn, awesome, they can learn. If not, like the vast majority, then they'll be a customer soon paying me to fix the shit that they fucked up themselves. Realistically, you don't really care about those ignorant users either, since, as stated, everything you listed as a deficiency would have only been known to a technical user anyway (and the real-world situation is the same between Android and computers; it could be on the iOS and Win8 side too, but controlling what their users can and can't do is far more important to them than security).

So you are going to pretend that every mobile user is an android nerd with the knowledge and desire to root their device and/or install those apps you've mentioned?

What of iOS? Customized android? Plain vanilla android in the hands of regular people who don't know how to do any of that, and don't care?

With the risk of sounding like an elitist, yes.

It is ultimately up to every single user to get educated and learn how to secure their systems. If you were around in the 90s, you'll remember how hard the push was about not opening attachments in emails that came from unknown sources. Because that was user education. There's plenty you can do to harden elsewhere that a user doesn't really need to know about, and that's what Android and iOS have already done.

You want to help computer security? Learn something about it, educate the users, and help them. Rather than play the role of the dramatic Jane and blame the OSes and any perceived complexity.

Wow. on the floor where you live.... the elevator is always broken and a hot blonde lives across the hall, right?

I'm a nerd too, but some of you are well and truly off the deep end.

Dude look around you next time you go out, if you go out. The 14 year olds using smartphones, the housewives, the business people, etc.... A mobile device is for all intents and purposes an appliance. The underlying OS and all its complexity is completely hidden from the user. All they see and all they know is the pretty UI, and you know what? That's a good thing for them. That's precisely why these devices became so popular, and, let's say, Linux didn't. If we lived in your fantasy world, no one would be using these devices because they wouldn't know how and wouldn't bother to learn because the folks have better things to do. Not everyone is interested in becoming a computer nerd. They have other things they are passionate about. Not everyone thinks the way you do.

Wow, where to begin...

I can't speak for him, but yes, I go out (at least as often as my finances allow; the US dollar doesn't go far in Europe). You're right, those 14 year olds, housewives, and businesspeople do treat them like an appliance, just like they do their computers. The underlying OS and all its complexity is just as hidden as it is on each platform's desktop/laptop counterpart, be that Windows, iOS/OSX, or Android/Linux/UNIX (which is to say, in the case of the Android/Linux/UNIX, it's exactly as hidden as the user wants it to be, no more and no less). All they do see is the pretty UI, and good in their eyes, if not good for them.

As you say, the maturity of the GUIs available today is one of the primary reasons for the success and popularity of these devices. Amusingly, this very fact contradicts your following statement, given the fact that Android is Linux and currently the most popular mobile OS. It is also contradicted by the fact that the most popular and well-known Linux distros have GUIs as mature and robust as those of Windows and OSX by default (right down to their default layouts and behaviours); basically the challenge for Linux is unrelated to basically anything you've mentioned, and has far more to do with closed-off, proprietary hardware and active efforts to break and prevent compatibility on the part of MSFT (and you'll almost never see driver issues on a desktop these days, and Sony, Asus, Acer, and IBM have excellent track records with their laptops when it comes to Linux).

The fantasy is in thinking that this level of ignorance is desirable. We are not living in a fantasy world, but rather the real world, where that level of ignorance will burn you, whether it be on a computer, a phone, or a tablet (and potentially even game consoles, if Ouya puts the pressure on the incumbents to open up a little more and charge a bit less to get onto the platform; arguably the high cost of entry is what helps keep malware out of things like XBLA).

The situation is no different now than the one even a decade ago (and really, the situation never changed), in that the most important thing you can do is educate your users. Teach them to be suspicious of unknowns, do look gift horses in the mouth, and actually READ what permissions you're authorizing an application access to (why exactly does a Solitaire game need my call status, full network access, storage access, and my contact list? Nothing puts a smile on my face like when I go to install something and the pre-install confirmation says "no special permissions required"). The simple fact is that no matter how secure you make any platform, no matter how much scrutiny you use in curating your marketplace, the user will always be a vulnerability. The only way to get around this is to eliminate ALL control and access a user has, and even then a random bug can still fuck you in the ass (just take a look at that impressive GPS attack in the Ars article a couple weeks back; huzzah for received data permanently bricking hardware!).

The weak link is and always will be the user, and in this regard there is no difference between a smartphone, a tablet, and a computer, because guess what? All of these things are computers. They're not those old single-game hand-helds with the fixed-image LCDs, they're not $5 calculators, they're not slide rules. They are fully-functional computers (even the ones that prevent the user access to all those functions, like iOS/OSX, and that's the manufacturer's fault for valuing their control over yours when it comes to YOUR property.)

[...]As to iOS, you're pretty much screwed, and that's Apple's fault for selling an inferior, restricted, and intentionally gimped product, and your fault for buying it in spite of those facts. [...]

I get that you're not an Apple fan, but I don't really see how being able to browse your system files and monitor your loaded drivers makes Android any more inherently secure. Leaving much of the security verification up to Apple's App review process is certainly different than Google's more hands-off, each individual is responsible for their own security approach, but that doesn't make it worse. Especially for people who aren't as technically sophisticated as you.